During the course of its normal operation, Bro
produces a large volume of log files. This series of exercises
examines the Bro log output format, and highlights a few
extremely useful utilities that can be used to extract data from
and/or process this information.

Part 1: Generating Logs

Exercise

Run bro with the -r option, and provide the http.pcap file. For more information on bro options, please run
bro with the -h option.

Part 2: Matching Records to Log Fields

and then interpret the fields in each of the resulting logs. Examine
relevant records in the associated script files; be sure to look for
the &log directive when examining those files.

Note

Record definitions can normally be found in
$PREFIX/share/bro/base/protocols/<PROTO>/main.bro in the
installation directory (or scripts/base/protocols/...
in the Bro source tree).

Part 3: Connection Statistics

Bro summarizes each TCP and UDP connection as a single line in the
conn.log. Because these connection summaries are quite detailed, you can
extract plenty of useful statistics from them. For the following two parts, use the
log files generated from the trace 2009-M57-day11-18.trace.gz
via bro -r 2009-M57-day11-18.trace.pcap.

Exercise

List the connections in increasing order of duration, i.e., with the longest
connections at the end.

Exercise

Find all connections that last longer than one minute.

Exercise

Find all IP addresses of web servers that send more than 1 KB
back to a client.

Exercise

Are there any web servers on non-standard ports (i.e., ports other than 80 and 8080)?

Exercise

Show a breakdown of the number of connections by service.

Exercise

Show the top 10 destination ports in descending order.

Exercise

What are the top 10 hosts (originators) that send the most traffic?
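The exercises above can all be answered by parsing conn.log's header directives (#separator, #fields, #unset_field, #empty_field) and then filtering and counting the records. The following Python is an added example, not part of the original exercise material or of Bro itself; the conn.log excerpt it works on is constructed (it is not taken from the M57 trace) and uses a subset of the real conn.log columns.

```python
from collections import Counter

# Constructed conn.log excerpt in Bro's ASCII log format (not from the M57 trace);
# the "#separator" header spells the separator in hex, the rest is tab-separated.
_LINES = [
    ["#separator \\x09"],
    ["#set_separator", ","], ["#empty_field", "(empty)"], ["#unset_field", "-"],
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "service", "duration", "orig_bytes", "resp_bytes"],
    ["1258531221.486539", "CHhAvVGS1DHFjwGM9", "192.168.1.102", "68", "192.168.1.1", "67", "udp", "dhcp", "0.163820", "301", "300"],
    ["1258531680.237254", "ClEkJM2Vm5giqnMf4h", "192.168.1.102", "1180", "198.189.255.75", "80", "tcp", "http", "95.400245", "192", "1536"],
    ["1258531700.000000", "CtPZjS20MLrsMUOJi2", "192.168.1.103", "1182", "74.125.67.100", "8000", "tcp", "http", "61.000000", "700", "4096"],
    ["1258531710.000000", "CmES5u32sYpV7JYN", "192.168.1.103", "1025", "192.168.1.1", "53", "udp", "dns", "-", "-", "-"],
]
SAMPLE_CONN_LOG = "\n".join("\t".join(row) for row in _LINES) + "\n"

def parse_bro_log(text):
    """Return (fields, rows) for a Bro ASCII log; unset fields -> None, empty -> ""."""
    sep, unset, empty, fields, rows = "\t", "-", "(empty)", [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # The separator is written hex-escaped (e.g. "\x09" for tab); decode it.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line.split(sep)
            if key == "#fields": fields = vals
            elif key == "#unset_field": unset = vals[0]
            elif key == "#empty_field": empty = vals[0]
        elif line:
            vals = line.split(sep)
            rows.append({f: None if v == unset else "" if v == empty else v
                         for f, v in zip(fields, vals)})
    return fields, rows

def longer_than(rows, seconds=60.0):
    """Connections lasting more than `seconds`; unset durations are skipped."""
    return [r for r in rows if r["duration"] is not None and float(r["duration"]) > seconds]

def busy_web_servers(rows, min_resp_bytes=1024):
    """Web servers that sent more than min_resp_bytes back to a client."""
    return sorted({r["id.resp_h"] for r in rows if r["service"] == "http"
                   and r["resp_bytes"] is not None and int(r["resp_bytes"]) > min_resp_bytes})

def service_breakdown(rows):
    return Counter(r["service"] or "(none)" for r in rows)

def top_originators(rows, n=10):
    """Originator hosts ranked by bytes sent (unset orig_bytes count as 0)."""
    sent = Counter()
    for r in rows: sent[r["id.orig_h"]] += int(r["orig_bytes"] or 0)
    return sent.most_common(n)
```

Because the parser reads the separator and the unset/empty markers from the header instead of hard-coding tabs and "-", it keeps working unchanged on the logs produced in Part 5.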

Part 4: HTTP Statistics

Exercise

What are the distinct browsers in this trace? What are the distinct MIME
types of the downloaded URLs?

Exercise

What are the three most commonly accessed web sites?

Exercise

What are the top 10 referred hosts?

Part 5: Tweaking Log Output

Exercise

Tell Bro to include the new_separator.bro
script, and then re-process http.pcap. After verifying that the
separator character has, in fact, changed, modify the separator
character defined in new_separator.bro to be something slightly
more interesting. Next, re-run Bro and verify that the separator
character worked as expected and that the #separator field at the
top of the file was updated appropriately. Now, add a line to
new_separator.bro that will change the comment character used in
the log file; consult base/frameworks/logging/writers/ascii.bro to
determine the appropriate incantation.